Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS CoA not working

  • 1.  RADIUS CoA not working

    Posted May 27, 2018 02:43 PM

    I'm working through some training labs from a ClearPass class I took last year. I set up a captive portal guest between my controller and CPPM and everything works great, but I can't get the CoA to work. When I open the Access Tracker and change status, it won't terminate the user. When I look at the logs on the controller, on which I set up debug for process Authmgr, I get this:

    May 27 10:29:38 :121006:  <3810> <WARN> |authmgr| |aaa| RADIUS (RFC 3576): Ignoring request from unknown client 10.20.20.200.

    I have verified the RFC 3576 server shared key is correct and matches my RADIUS server configuration. Is there another setting on the controller that I need to set? I can't find anything.

    Other than the CoA, everything else with regard to RADIUS works fine. I have already done some 802.1X labs with no issues.

     



  • 2.  RE: RADIUS CoA not working

    MVP EXPERT
    Posted May 27, 2018 03:30 PM

    Some questions:

    • What is your ClearPass version, 6.7.x or 6.6.x?
    • What is your 3810 switch firmware?

    CPPM > Configuration > Network > Devices

    Be sure you use the correct Vendor Name in your NAD configuration.

    I made the mistake before that the Vendor Name isn't Aruba but HP Enterprise.

     

    On your switch configuration be sure that you configured this:

    radius-server host "ip-clearpass" dyn-authorization

    I am not 100% sure, but I think firmware release 16.04 is needed to do this.



  • 3.  RE: RADIUS CoA not working

    Posted May 27, 2018 03:59 PM

    CPPM version 6.6. An Aruba 7005 wireless controller is the NAD. Test devices are an iPad and Win 7, connecting using the guest service with a local guest user account. I also tested it with an 802.1X local user account. Both connect fine, but when I try to change the CoA change status it says NAD does not respond. The controller log I posted above says it doesn't seem to recognize the server even though it authenticated with it.



  • 4.  RE: RADIUS CoA not working

    EMPLOYEE
    Posted May 27, 2018 04:17 PM

    Do you have an RFC 3576 profile added to the proper AAA profile?



  • 5.  RE: RADIUS CoA not working

    MVP EXPERT
    Posted May 27, 2018 04:19 PM

    Can you upload some screenshots of your AAA profile and Server Group?



  • 6.  RE: RADIUS CoA not working

    MVP EXPERT
    Posted May 27, 2018 04:43 PM

    Does this help you?

     

    [Attached screenshots: Schermafbeelding 2018-05-27 om 22.41.17.png, Schermafbeelding 2018-05-27 om 22.41.24.png]



  • 7.  RE: RADIUS CoA not working

    Posted May 27, 2018 07:16 PM

    Here is some of the controller config. Thanks for the pictures. I usually use CLI. As you can see, the key is the same.

     

    ap-group "New-Group"
       virtual-ap "secure"
       virtual-ap "guest"
       enet2-port-profile "NoAuthWiredPort"
       enet3-port-profile "NoAuthWiredPort"
       enet4-port-profile "NoAuthWiredPort"
       ap-system-profile "apsys_prof-uwk73"


    wlan virtual-ap "guest"
       aaa-profile "Captive_Portal-aaa_prof"
       ssid-profile "Captive_Portal-ssid_prof"
       vlan 1

    aaa profile "Captive_Portal-aaa_prof"
       initial-role "Captive_Portal-cp_prof"
       mac-server-group "cppm"
       radius-accounting "cppm"
       rfc-3576-server "10.10.10.200"

    aaa server-group "cppm"
     auth-server CPPM

    aaa authentication-server radius "CPPM"
       host "10.20.20.200"
       key "aruba"

    aaa rfc-3576-server "10.10.10.200"
       key "aruba"





  • 8.  RE: RADIUS CoA not working
    Best Answer

    EMPLOYEE
    Posted May 27, 2018 07:19 PM
    Your RADIUS server and RFC 3576 server should be the same IP and secret.
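
The mismatch identified in the answer above can be caught mechanically. The following is an added example, not code from the thread participants or from Aruba: a Python check that parses the stanza syntax shown in post 7 and flags any rfc-3576-server whose IP or key has no matching aaa authentication-server radius entry. It assumes keys appear in plaintext as in the posted excerpt; the function names are hypothetical.

```python
import shlex

# Stanzas copied from the controller config posted in this thread (post 7).
SAMPLE_CONFIG = '''\
aaa profile "Captive_Portal-aaa_prof"
   initial-role "Captive_Portal-cp_prof"
   mac-server-group "cppm"
   radius-accounting "cppm"
   rfc-3576-server "10.10.10.200"
aaa authentication-server radius "CPPM"
   host "10.20.20.200"
   key "aruba"
aaa rfc-3576-server "10.10.10.200"
   key "aruba"
'''

def parse_stanzas(text):
    """Return [(header_tokens, {setting: value})]; indented lines belong to the stanza above."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = shlex.split(line)          # handles the quoted names and values
        if line[0].isspace() and stanzas:
            stanzas[-1][1][tokens[0]] = tokens[-1]
        else:
            stanzas.append((tokens, {}))
    return stanzas

def check_coa_clients(text):
    """Flag RFC 3576 (CoA) servers that do not match a RADIUS auth server's host and key."""
    auth, dyn = {}, {}                      # IP -> shared key, for each server type
    for header, settings in parse_stanzas(text):
        if header[:3] == ["aaa", "authentication-server", "radius"] and "host" in settings:
            auth[settings["host"]] = settings.get("key")
        elif header[:2] == ["aaa", "rfc-3576-server"] and len(header) > 2:
            dyn[header[2]] = settings.get("key")
    findings = []
    for ip, key in dyn.items():             # keys are compared but never printed
        if ip not in auth:
            findings.append(f"rfc-3576-server {ip}: no RADIUS auth server with this host "
                            f"(auth hosts: {sorted(auth)})")
        elif auth[ip] != key:
            findings.append(f"rfc-3576-server {ip}: key differs from RADIUS auth server")
    return findings

if __name__ == "__main__":
    for finding in check_coa_clients(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config, it reports that 10.10.10.200 is defined as the RFC 3576 server while the only RADIUS host is 10.20.20.200, which is why the controller logged the CoA request from 10.20.20.200 as coming from an unknown client.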


  • 9.  RE: RADIUS CoA not working

    Posted May 27, 2018 07:25 PM

    Good catch there, 10.20.20.200 vs. RFC 10.10.10.200. LOL, eyes play tricks on ya, thanks. Now I just have to figure out when my kids go to Snapchat they get disconnected from the wireless :)

     
